Accessing personal information online has become increasingly commonplace, as it is a convenient and efficient way to manage one's affairs. For example, users may access their bank accounts online to view balances and transactions, transfer money, pay bills, etc. Although the ability to access such information provides convenience, it also raises the potential for security threats to sensitive information.
One example of a threat to personal information is a phishing attack, in which a user may be taken to or redirected to a fake website to gather personal information such as a username, password, social security number, date of birth, credit card information, etc. For example, communications purporting to be from a popular social website, auction site, online payment processor, etc. may be used to lure an unsuspecting user into providing personal information.
Another example of a threat to personal information is a pharming attack, in which a user may be redirected to a fake website by a false domain name service (DNS) record, effectively redirecting the traffic from the intended website to the fake website. For example, this may be done by changing a DNS host file after breaching the DNS server.
Some techniques for preventing these attacks may include browser-based website verification performed via a browser plug-in. However, these verification techniques may be unable to prevent pharming attacks. In some cases, phishing may be avoided by using secure socket layer (SSL) or transport layer security (TLS) with strong public key infrastructure (PKI) encryption (e.g., using public key certificates), where a uniform resource identifier (URI) (e.g., a uniform resource locator (URL)) for a website is used as an identifier. Generally, secure authentication using SSL or TLS and certificates may include indicating that a connection is in authentication mode, indicating which website a user is connected to, and indicating which authority (e.g., certificate authority) authenticates the identity of the website. However, this authentication process may be easy to circumvent, because the authentication is typically confirmed by the user, introducing user error. Additionally, because these current techniques for preventing attacks are purely software-based, they may be ineffective against some threats to personal information (e.g., if the user's own computer is compromised).
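The three indications described above (an authenticated connection, which website, which authority) can be enforced by the client in code rather than confirmed by the user. The following Python code is an added example, not part of the original text, showing those checks rejecting a pharmed destination. Assumptions: certificates are in the dict form returned by `ssl.SSLSocket.getpeercert()`, the TLS library has already validated the chain, and the host names, issuer names and the `check_site` helper are constructed for illustration.

```python
# Constructed sample data: dicts in the form returned by
# ssl.SSLSocket.getpeercert(); every host and issuer name is made up.
TRUSTED_ISSUERS = {"Constructed Root CA"}
GENUINE = {"subjectAltName": (("DNS", "*.bank.example"),),
           "issuer": ((("commonName", "Constructed Root CA"),),)}
PHARMED = {"subjectAltName": (("DNS", "login.bank.example"),),
           "issuer": ((("commonName", "Unknown Signing CA"),),)}
WRONG_SITE = {"subjectAltName": (("DNS", "login.bank-example.invalid"),),
              "issuer": ((("commonName", "Constructed Root CA"),),)}


def _rdn_value(rdns, key):
    # Names are a tuple of RDNs, each a tuple of (key, value) pairs.
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _host_matches(pattern, host):
    # Case-insensitive; "*" is honoured only as the whole leftmost label
    # and never directly under a top-level label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_site(expected_host, peer_cert, trusted_issuers):
    """Return the list of failed checks; an empty list means the site passed."""
    if not peer_cert:
        # getpeercert() yields an empty dict when nothing was validated.
        return ["connection not authenticated"]
    failures = []
    names = [v for t, v in peer_cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_host_matches(n, expected_host) for n in names):
        failures.append("certificate does not name " + expected_host)
    issuer = _rdn_value(peer_cert.get("issuer", ()), "commonName")
    if issuer not in trusted_issuers:
        failures.append("issuer not trusted: " + str(issuer))
    return failures


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("pharmed", PHARMED)):
        print(label, check_site("login.bank.example", cert, TRUSTED_ISSUERS))
```

Because the decision is a return value rather than a browser indicator, a failed check can abort the session without relying on the user to notice it.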